Every organization doing business with the government will have to name a real person as account administrator and go through a three-point ID proofing process.
The General Services Administration is cracking down on fake and anonymous account managers in SAM.gov.
GSA’s Integrated Award Environment has been consolidating various procurement websites and tools into a single site under SAM.gov. The new site includes the entity registration process previously housed on the old SAM.gov, including obtaining the unique identifier required for any organization doing business with the government—contractors, grantees, academic institutions, etc.
IAE officials have also been working on a number of security upgrades, including plans to authenticate the real-world identity of all entity administrators—the people tasked with managing the SAM registration accounts at each private sector organization. Officials expect to kick those plans into full gear this year.
According to an informational slide deck obtained by Nextgov, the identity proofing process—administered through GSA’s single sign-on program, Login.gov—looks to prevent unauthorized access to entity registration accounts and, specifically, access to sensitive data that could harm or damage an entity.
As part of the process, administrators will be asked to submit an image of their state-issued photo ID, Social Security number and a valid phone number. That information will be confirmed with the issuing agency—state department of motor vehicles, Social Security Administration, etc.—then compared with other registrant data.
GSA officials noted the authentication data will be encrypted in transit and at rest, and will not be “stored at either SAM.gov or Login.gov,” according to the slide deck.
Identity proofing started off as an optional security measure for non-federal organizations when the two SAMs—the legacy SAM.gov and beta.SAM.gov—were integrated in May 2021. Officials said more than 20,000 administrators have completed the process voluntarily since that time.
But going forward, ID confirmation is going to be a requirement for everyone.
Organizations that have not gone through the identity proofing process voluntarily will be required to do so starting this fiscal year, which began Oct. 1.
Those who are unable or who fail to complete the process for whatever reason will have a grace period to continue as administrators for their accounts. However, all non-federal entities will have to be fully authenticated before the end of fiscal 2022.
While GSA has established this loose timeframe, officials have yet to set hard dates for these requirements.
Officials encouraged administrators to go through the early process to avoid a hurry-up situation when the full requirement is established, as well as to have an opportunity to provide feedback and shape the way the process is crafted going forward.